Foreign Collection Methods: Indicators and Countermeasures

Reporting contacts, activities, indicators, and behaviors associated with foreign intelligence entities (FIEs), a term which includes international terrorists, is required under DoD Directive 5240.06 Counterintelligence Awareness and Reporting (CIAR). DoD 5220.22-M “National Industrial Security Program Operating Manual (NISPOM)” also requires the reporting of suspicious contacts, behaviors, and activities under Sections 1-301 and 1-302 b.

The most common foreign collection methods, used in over 80% of targeting cases, are:

• Requests for Information
• Academic Solicitation
• Suspicious Network Activity
• Targeting at conferences, conventions, and trade shows
• Solicitation and Marketing/Seeking Employment
• Foreign Visits
• Elicitation and Recruitment

If you suspect you may have been a target of any of the methods included here, or have been targeted by any other method, report it immediately.

Personnel who fail to report the contacts, activities, indicators, and behaviors may be subject to judicial and/or administrative action.

Failure to report can result in fines, prison, or both!


A SCIENTIST TURNED ATTEMPTED-SPY 


For more Counterintelligence Awareness Resources click here. 









“There is one evil that I dread, and that is, their spies.”
- General George Washington, 1777
REQUESTS FOR INFORMATION

Technique
This method uses an information request that was not sought or encouraged. Requests may originate from known or unknown sources including:

• Foreign companies
• Individuals
• Foreign government officials
• Organizations

Indicators 
There are several possible indicators of unsolicited and direct requests, including, 
but not limited to, those listed below. The requestor: 


• Sends a request using a foreign address
• Has never met recipient
• Identifies self as a student or consultant
• Identifies employer as a foreign government
• States that work is being done for a foreign government or program
• Asks about a technology related to a defense program, project, or contract
• Asks questions about defense-related programs using acronyms specific to the program
• Insinuates the third party he/she works for is "classified" or otherwise sensitive
• Admits he/she could not get the information elsewhere because it was classified or controlled
• Advises the recipient to disregard the request if it causes a security problem, or the request is for information the recipient cannot provide due to security classification, export controls, etc.
• Advises the recipient not to worry about security concerns
• Assures the recipient that export licenses are not required or not a problem
• Fails to identify the end user


Countermeasures 
The following countermeasures can protect against unsolicited and direct requests: 


• View unsolicited and direct requests with suspicion, especially those received via the internet
• Respond only to people who are known after verifying their identity and address and ensuring proper authorization for release of information.
• If the requester cannot be verified or the request is suspicious:
  - Do not respond in any way
  - Report the incident to security personnel


If you suspect you may have been a target of this method, report it. 





“The arrests of 10 Russian spies last year provided a chilling reminder that espionage on U.S. soil did not disappear when the Cold War ended.”
- FBI Counterintelligence Division, 10/31/2011







SOLICITATION AND MARKETING/SEEKING EMPLOYMENT 


The solicitation and seeking employment collection method may take many forms 
including, but not limited to, joint ventures or research partnerships, offering of 
services, or internship programs for foreign students. 


Technique 


• Places foreign personnel in close proximity to cleared personnel
• Provides opportunity to build relationships that may be exploited
• Places adversary inside facility to collect information on desired technology

Indicators

• Foreign visitors mail or fax documents written in a foreign language to a foreign embassy or foreign country
• Foreign visitors request:
  - Access to the LAN
  - Unrestricted facility access
  - Company personnel information

Countermeasures
The following countermeasures may guard against this collection method:

• Review all documents being faxed or mailed; use a translator, when necessary
• Provide foreign representatives with stand-alone computers
• Share the minimum amount of information appropriate to the scope of the joint venture/research
• Educate employees extensively
  - Project scope
  - Handling and reporting elicitation
• Sustainment training
• Refuse to accept unnecessary foreign representatives into the facility
• Develop a Technology Control Plan (TCP)


If you suspect you may have been a target of this method, report it. 


Russian spy Christopher Metsos (right), swaps information in a “brush pass” with an official from the Russian Mission in New York in 2004.
- FBI Vault, FOIA Release












“Dillinger or Bonnie and Clyde could not do a thousand robberies in all 50 states in the same day from their pajamas from Belarus. That’s the challenge we face today.”
- James B. Comey, Director, FBI
SUSPICIOUS NETWORK ACTIVITY

Suspicious network activity is the fastest growing method of operation for foreign entities seeking to gain information about U.S. interests. It may also be referred to as cyber terror, cyber threats, cyber warfare, etc.

Technique
An adversary may target anyone or any system at any facility, using a number of methods:

• Input of falsified, corrupted data
• Malware, malicious code, viruses
• Hacking
• Chat rooms-elicitation
• Email solicitation (phishing)


Indicators 
The following is a list of suspicious indicators related to suspicious internet activity 
and cyber threats: 


• Unauthorized system access attempts
• Unauthorized system access to or disclosure of information
• Any acts that interrupt or result in a denial of service
• Unauthorized data storage or transmission
• Unauthorized hardware and software modifications
• Emails received from unknown senders with foreign addresses


Countermeasures 


The following countermeasures can be taken to guard against this collection method:

• Develop and implement a Technology Control Plan (TCP)
• Conduct frequent computer audits:
  - Ideally: Daily
  - At minimum: Weekly
• Do not rely on firewalls to protect against all attacks
• Report intrusion attempts
• Direct personnel to avoid responding to or clicking on links from unknown sources and to report such items
• Disconnect computer system temporarily in the event of a severe attack


If you suspect you may have been a target of this method, report it. 
ACADEMIC SOLICITATION

Technique
This method uses students, professors, scientists or researchers as collectors improperly attempting to obtain sensitive or classified information.

Requests may originate from known or unknown sources including:

• Foreign Universities or Academic Centers
• Individuals overseas or placed in the U.S.
• Quasi-governmental Organizations such as research centers and institutes


Indicators 
There are several possible indicators of academic solicitation, including, but not limited to, those listed below:

• Foreign students accepted to a U.S. university or at postgraduate research programs are recruited by their home country to collect information, and may be offered state-sponsored scholarships as an incentive for their collection efforts.
• U.S. researchers receive requests to provide dual-use components under the guise of academic research.
• U.S. researchers receive unsolicited emails from peers in their academic field soliciting assistance on fundamental and developing research.
• U.S. professors or researchers are invited to attend or submit a paper for an international conference.
• Overqualified candidates seeking to work in cleared laboratories as interns.
• Candidates seeking to work in cleared laboratories whose work is incompatible with the requesting individual’s field of research.
• Intelligence entities will send subject matter experts (SMEs) requests to review research papers, in hopes the SME will correct any mistakes.


Countermeasures 
The following countermeasures can protect against academic solicitation: 


• View unsolicited academic solicitations with suspicion, especially those received via the internet.
• Respond only to people who are known after verifying their identity and address.
• Ensure any response to known or unknown requestors includes only information authorized for release.
• If the requester cannot be verified or the request is suspicious:
  - Do not respond in any way
  - Report the incident to security personnel


If you suspect you may have been a target of this method, report it. 





“Chinese Professors Among Six Defendants Charged with Economic Espionage and Theft of Trade Secrets for Benefit of People’s Republic of China.”
- U.S. Department of Justice, May 29, 2015
FOREIGN VISIT

Technique
Suspicious contact during a foreign visit can occur at any time and may come from:

• One-time visitors
• Long-term visitors
  - Exchange employees
  - Official government representatives
  - Students
• Frequent visitors
  - Sales representatives
  - Business associates


Indicators 
Suspicious or inappropriate conduct during foreign visits can include: 


• Requests for information outside the scope of what was approved for discussion
• Hidden agendas associated with the stated purpose of the visit
• Visitors/students requesting information, and then growing irate upon denial
• Individuals bringing cameras and/or video equipment into areas where no photographs are allowed
• Wandering visitors using distractions to slip away
• New visitors added to group at last minute or switching of prescreened visitors


Countermeasures 
The following countermeasures can protect against unauthorized access by foreign 
visitors: 


• Contractors may coordinate with Defense Security Service (DSS) prior to visit
• Prior to visit, brief hosts and escorts on approved procedures
• Walk visitor route and identify vulnerabilities
• Prior to the visit, notify all employees about the visit, restrictions on the visitors, and the nature of the threat
• Debrief personnel in contact with visitors
• Ensure visitors do not bring recording devices, including cell phones, into the facility


If you suspect you may have been a target of this method, report it. 


“Via visits... that are either pre-arranged by foreign contingents or unannounced, these are attempts to gain access to and collect protected information...”
- Defense Security Service, 2015 Targeting U.S. Technologies
TARGETING AT CONFERENCES, CONVENTIONS, AND TRADE SHOWS

This method directly links targeted programs and technologies with knowledgeable personnel.

Technique:
• Technical experts may receive invitations to share their knowledge
• Experts may be asked about restricted, proprietary, and classified information





Indicators
The following are suspicious indicators related to seminars, conventions, and trade shows.

Prior to event:

• Personnel receive an all-expenses-paid invitation to lecture in a foreign nation
• Entities want a summary of the requested presentation or brief 6-12 months prior to the lecture date
• Host unsuccessfully attempted to visit facilities in the past
• Travel to event may pose targeting opportunities

During event:

• Telephone monitoring and hotel room intrusions
• Conversations involving classified, sensitive, or export-controlled technologies
• Excessive or suspicious photography and filming of technology and products
• Casual conversations during and after the event hinting at future contacts or relations
• Foreign attendees’ business cards do not match stated affiliations
• Attendees wear false name tags
• Individuals returning to same booth multiple times
• Detailed and probing questions about specific technology

Countermeasures
The following countermeasures can be taken to guard against this collection method:

• Consider what information is being exposed, where, when, and to whom
• Provide employees with detailed travel briefings concerning:
  - The threat
  - Precautions to take
  - How to react to elicitation
• Take mock-up displays instead of real equipment
• Request a threat assessment from the program office
• Restrict information provided to only what is necessary for travel and hotel accommodations
• Carefully consider whether equipment or software can be adequately protected
• Debrief attendees after the event to identify potential suspicious activity

If you suspect you may have been a target of this method, report it.

“You can be targeted at any conference, convention, or trade show, foreign or domestic.”
- Defense Security Service
ELICITATION AND RECRUITMENT

Intelligence officers spot and assess individuals for potential recruitment. Adversaries are not necessarily looking for someone with a high level of access; sometimes the potential for future access or the ability of the recruit to lead to other high value targets is enough to generate adversary interest.


Technique: 

Once a potential recruit has been identified, adversaries begin to cultivate a relationship with that individual. In the “Development Phase,” meetings with the recruit become more private and less likely to be observable or reportable. By the time the “recruitment and handling phase” is initiated, the individual is likely emotionally tied to the adversary.


Indicators 

Spotting and Assessing can take place anywhere, but is always approached in a non-threatening and natural manner designed to elicit information. Elicitation is the strategic use of conversation to subtly extract information about you, your work, and your colleagues. Foreign intelligence entities elicit information using both direct and indirect questioning. They may create a cover story to explain the line of questioning in their attempts to make the discussion less suspicious.

Trade shows, business contacts, social events, or online venues such as chat rooms and social media, are used for this process. During the Spot and Assessment phase, the FIE will often explore potential exploitable weaknesses which may be used as a lever against the recruit. These could include: Drugs or Alcohol, Gambling, Adultery, Financial Problems, or other weaknesses.

The actual recruitment may involve appeals to ideological leanings, financial gain, blackmail or coercion, or any other of a number of motivators unique to that recruit. Some of these may manifest as observable and reportable behaviors.


Countermeasures 

Any contact which suggests the employee concerned may be the target of an attempted exploitation by the intelligence services of another country must be reported. Do not share anything the elicitor or recruiter is not authorized to know, including personal information about yourself, your family, or your co-workers. If you believe someone is attempting to elicit information from you, you can:

• Change the topic
• Refer them to public websites
• Deflect the question
• Provide a vague answer
• Feign ignorance and ask the elicitor to explain what they know





Wen Chyu Liu
Found Guilty January 2012, Trade Secret Theft

Liu recruited at least four current and former coworkers, paid current and former coworkers for material and information, and bribed a coworker with $50,000 in cash to provide information.





